github Pennyw0rth/NetExec v1.5.0

What's Changed

  • Add missing Pillow package to binary workflow by @NeffIsBack in #644
  • Update nfs.py by @bandrel in #645
  • fix: Refactor output file path construction in SMB protocol by @moscowchill in #650
  • Added more AV Signatures by @n00py in #660
  • Update database.py by @nikaiw in #658
  • Fix a bunch of stuff from the ippsec and 0xdf writeups for the Vintage box by @mpgn in #663
  • Fix pfx output path on windows by @NeffIsBack in #665
  • Fix authentication with an empty domain by @NeffIsBack in #667
  • Update pylnk3 to remove debug print by @NeffIsBack in #669
  • Upgrade the schtask_as module so that we can upload binaries and execute them by @Dfte in #668
    • You can now customize the command and the binary that is executed, so you can provide your own executables together with their flags
  • New change-password module. by @KriyosArcane in #512
    • STATUS_PASSWORD_MUST_CHANGE locking you out is a thing of the past, just reset the password
  • Fix domain trust with kerberos in ldap by @NeffIsBack in #677
  • Remove old unused server code by @mpgn in #662
  • Add a check if the database scheme contains the unique attribute by @NeffIsBack in #681
  • Disable signing in LDAP temporarily by @NeffIsBack in #682
  • Automatically preserve state of "advanced options" on the target by @NeffIsBack in #686
    • MSSQL execution will automatically backup and restore the "advanced options", as well as the "xp_cmdshell" options to preserve the original settings of the target server
  • Add option to --spider and add recyclebin.py module by @Dfte in #463
    • The admin finally deleted the password.txt on the desktop? Well, if the recyclebin wasn't emptied you are in luck...
  • new module: mssql > enable_cmdshell by @crosscutsaw in #557
  • fix(ntlm): include server hostname in Workstation field of Authentication by @cyberG33k02 in #694
  • Fix winrm database logic by @NeffIsBack in #696
  • eventlog_creds Module by @lodos2005 in #452
    • If process creation auditing is enabled, there can be hidden gems (credentials) in the event log. This new module will find them for you.
  • Updated whoami and find-computer modules by @Cyb3rC3lt in #695
  • Update PULL_REQUEST_TEMPLATE.md by @NeffIsBack in #699
  • Fix ldap simple auth with base object by @mpgn in #670
  • update ntdsutil.py to behave like --ntds by @crosscutsaw in #691
  • Add Badsuccessor module by @mpgn in #702
    • Checking for BadSuccessor made easy!
  • Fix logging port and also update the port when switching to LDAPS by @NeffIsBack in #703
  • Switch LDAP source to fixed version by @NeffIsBack in #704
  • Check for win server 2025 instead of DFL 2025 by @NeffIsBack in #705
  • Improve eventlog_creds by @NeffIsBack in #706
  • Fix hostname info if there is no NTLM and no name resolution by @mpgn in #671
  • Make nxc compatible with bloodhound-ce zip by @mpgn in #664
    • BloodHound Community Edition is taking over and now we also support its collector. If you want to swap to the legacy collector, change the config setting.
  • Update Ruff and Fix Linting by @NeffIsBack in #629
  • Switch impacket branch to Pennyw0rth fork by @NeffIsBack in #707
  • Fix spec file by @NeffIsBack in #710
  • Reopen: Update --dc-list to also check the DCs of trusted domains by @termanix in #666
    • Integration of domain trust into the --dc-list flag
  • Ldap checker removal by @zblurx in #709
    • Built-in checks for LDAP signing and channelBinding requirements in the host banner!
  • Add base_dn option to subnet module by @NeffIsBack in #714
  • Update kerberoast command output to be idiomatic by @t94j0 in #711
  • Enable asreproast with anonymous ldap logins by @NeffIsBack in #712
  • Fix querying when non searchResultEntries are returned by @NeffIsBack in #717
  • Move version log after file logger is attached by @NeffIsBack in #722
  • Add error handling if we can't mount share with --ls by @NeffIsBack in #724
  • new module: smb > presence by @crosscutsaw in #561
    • Admins are breaking the tier infrastructure? Now you have a module to check for such artifacts
  • Fixing --generate-hosts-file smb option by @Mojo8898 in #725
  • Refactoring nxc path and adding support for XDG Base Directory - addressing issue #558 by @d4ytox in #649
  • Add new SMB module to extract GPO deployed privilege assignments by @Yeeb1 in #493
  • Add efsr_spray module by @rtpt-romankarwacik in #718
  • Fix dns resolution when finding 2025 dc by @NeffIsBack in #737
  • New module: AWS Credentials Finder by @dev-fortress in #455
  • Skip cbt check if port explicitly set to 389 by @NeffIsBack in #741
  • New SMB Module Notepad by @termanix in #608
    • This module extracts the contents of unsaved notepad files, similar to the notepad++ module
  • Fix function to check if a host is a DC or not by @mpgn in #739
  • Fix connection reset error on Windows if the DC doesn't have a TLS cert by @NeffIsBack in #743
  • Fixed minor typo in issue template by @Reelix in #747
  • Fix #744 by @zblurx in #745
  • Add Kerberoasting support with no-preauth user by @azoxlpf in #719
    • You can now kerberoast even without valid credentials. How? Use an account which does not require pre-authentication.
  • Fix two minor bugs by @NeffIsBack in #750
  • Update mssql enum login by @mpgn in #755
  • Update flag to make it easier to understand by @mpgn in #756
  • Fix enum_links module privilege requirement by @zblurx in #760
  • fix hashcat/John format for TGS-REP by @azoxlpf in #765
  • Update wcc.py by @v3gahax in #766
  • Fix winrm's ps_execute() to return output by @tiagomanunes in #767
  • Only display success message if accounts found by @NeffIsBack in #772
  • fix: color SMB STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT as magenta by @azoxlpf in #773
  • Image size improvements and pinned Netexec version by @kaisersource in #735
  • State that using a BINARY for schtask_as is optional by @NeffIsBack in #775
  • Update bitlocker.py - Corrected BitLocker EncryptionMethods by @Powett in #774
  • Add module to find the entra-id sync server by @NeffIsBack in #763
    • You want to pivot into Entra ID? Find the server with the new entra-id module and dump its sync credentials with the msol module.
  • Patch --qwinsta --tasklist stack trace by @Dfte in #777
  • Add the taskkill option by @Dfte in #779
    • Your payload hangs? Just kill the process from remote.
  • Add process filtering in --tasklist by @Dfte in #782
  • setRemoteName to avoid Kerberos SPN resolution error in rid_brute by @azoxlpf in #784
  • Patches the --filter-shares so that it correctly finds READ,WRITE perm by @Dfte in #787
  • Allows --qwinsta to filter for a specific user by @Dfte in #783
  • Add get-info-users module by @sepauli in #769
    • Passwords can be found everywhere in LDAP, for example in the "info" attribute of a user. This new module will query these fields for you.
  • fix(ldap): support get-sid and admin flag when using --use-kcache by @azoxlpf in #789
  • [WCC] Improve NBTNS check and add LLMNR check by @fpreynaud in #701
  • add huge disclaimer to issue template by @Marshall-Hallenbeck in #795
  • new module: ldap > dump-computers by @crosscutsaw in #556
  • docs: add deprecation change type and clarify e2e tests checklist by @Marshall-Hallenbeck in #794
  • Add entra id sync credentials extractor by @NeffIsBack in #764
  • deprecation: remove the horrible opsec flag by @mpgn in #788
  • Refactor get-network and fix encoding by @NeffIsBack in #803
  • Switch pso module to core feature by @mpgn in #798
  • Removing the horrible multiple hosts option by @mpgn in #804
  • Fix veeam script if there is no salt reg key by @NeffIsBack in #808
  • Slinky set lnk target by @Geetub in #800
  • Add ldap parsing to daclread by @NeffIsBack in #811
  • Fix NFS Network Value by @termanix in #813
  • Fix command execution in wmi by @NeffIsBack in #812
  • Update LDAP find-computer Module by @termanix in #805
  • Add raw-ntds-copy module by @0xb11a1 in #468
    • AV blocks access to the SAM/SECURITY/SYSTEM registry hives? This module will mount the disk and parse its raw content to extract the sam, lsa, and NTDS secrets! Also available for the WMI and WINRM protocol!
  • Refactor WMI protocol execution by @NeffIsBack in #820
  • Add WMI to ntds_dump_raw module by @NeffIsBack in #821
  • Add TARGET option to ntds-dump-raw to dump LSA/SAM hashes by @0xb11a1 in #828
  • docs(contributors): add termanix and dfte to awesome contributors by @Marshall-Hallenbeck in #835
  • Refactor smb spider by @haytechy in #729
  • Add null-auth info to host banner by @NeffIsBack in #836
    • The server allows authentication without credentials? This is now automatically displayed in the host banner
  • Improve daclread: also allow passing a file for TARGET_DN, and refactor by @tiagomanunes in #832
  • Rework atexec and -M schtask_as to rely on a single TSCH_EXEC class by @Dfte in #818
  • Add 'Warning' rule to linting by @NeffIsBack in #838
  • Fixed typo in smb.py by @x-ticker in #841
  • Fix dpapi by @NeffIsBack in #844
  • Revert "Merge pull request #729 from haytechy/refactor_SMBSpider" by @NeffIsBack in #845
  • Add --reg-sessions option to SMB protocol by @MaxToffy in #824
    • Until now session enumeration required admin privileges on the host. The new --reg-sessions option enumerates them with normal user privileges!
  • Added DUMP_TICKETS flag to lsassy module by @gatariee in #833
  • Add --database option to MSSQL protocol by @A3-N in #847
    • Built-in options for database enumerations for the MSSQL protocol
  • Fixing the bug report issue template, currently not present on github by @NeffIsBack in #850
  • remove ntds warning as it is solved now by @mpgn in #853
  • Fix typo by @NeffIsBack in #855
  • [SMB] Added new smb module to enumerate active network interfaces over SMB by @fulc2um in #846
  • Update schtask_as.py to help bypass detection by @Kahvi-0 in #721
  • Add ability to execute commands via RDP by @Adamkadaban in #676
    • You can now execute commands using the RDP protocol!
  • Added the lockscreendoors module by @E1A in #837
  • Update Masky module to 0.2.1 (fix warning message) by @Z4kSec in #858
  • add guest check on recon by @mpgn in #856
    • Automatically checks if the guest account is enabled, provided the config flag is set in ~/.nxc/nxc.conf
  • Update gpp_password.py by @P4cm4n90 in #867
  • fix(ldap): return False for general OS errors by @Marshall-Hallenbeck in #876
  • Show success messages when krb conf is saved. by @adityatelange in #863
  • Fix aardwolf logging by @NeffIsBack in #898
  • Fix stacktrace with anon auth and using gmsa by @NeffIsBack in #899
  • Refactor to use internal ldap search function to prevent stack traces by @NeffIsBack in #900
  • fix(printnightmare): do not exit thread on failure to bind so other modules can run by @Marshall-Hallenbeck in #884
  • fix(dc_list): disable automatic configuration of DNS so we can point it to the target by @Marshall-Hallenbeck in #875
  • Fix 879 by @NeffIsBack in #901
  • Unnecessary file by @lodos2005 in #904
  • Fix poetry run pytest & adding tests to ntds-dump-raw module by @0xb11a1 in #830
  • display group description for --groups by @Marshall-Hallenbeck in #885
  • Remove efsr_spray module, superseded by simply using EPM map on the EFS interface by @rtpt-romankarwacik in #866
  • Add module categories by @NeffIsBack in #859
    • The number of modules keeps growing and growing. We introduce module categories to help keep them organized.
  • Add ldap pass-pol option #868 by @mpgn in #877
  • Updated schtasks_as.py to control if output will be provided by @SGMG11 in #907
  • New module: SCCM enumeration on DP and PSS with winreg by @Mauriceter in #586
  • [New Module] CVE-2025-33073 by @Mauriceter in #905
    • New module to check if the NTLM reflection attack has been patched!
  • Fix MAQ module crash by @azoxlpf in #909
  • Enforce that category is one of the enums by @NeffIsBack in #916
  • fix(enum_ca): properly return false if there's an error with fetchList by @Marshall-Hallenbeck in #887
  • fix(webdav): handle transport errors and prevent session crash by @azoxlpf in #914
  • catch BrokenPipe and transport errors to prevent session crash by @azoxlpf in #918
  • Resolve hostname to IP in dc_list when no --dns-server is given by @azoxlpf in #911
  • Allow kerberoasting on specific users by @Marshall-Hallenbeck in #912
  • Minor bug fixes by @NeffIsBack in #920
  • Stop logging NXDOMAIN multiple times in DNS resolution by @azoxlpf in #851
  • Allow kerbroast computers by @NeffIsBack in #919
  • Fix missing comma by @Dfte in #929
  • Add certificate request options to schtask_as by @Dfte in #908
    • Instead of executing commands in the context of another user you can just request a certificate in their context. This allows you to directly impersonate them on any machine.
  • enum_av module: add checkpoint indicators by @joaovarelas in #932
  • [NTLM reflection] Fix false assumption over smb signing by @Dfte in #935
  • Add dedent for easier reading by @Dfte in #937
  • Striped by @Dfte in #938
  • Use SMBv1 in enum_host_info to get Windows version from smbv1 by @NeffIsBack in #946
  • Add certipy module with 'find' implementation by @NeffIsBack in #857
    • ADCS is still a major attack vector for threat actors. This module integrates the certipy "find" command to give an easy overview over the existing certificate templates and (mis-)configurations.
  • Readd removed code by @NeffIsBack in #951
  • Catch dns resolver issue when domain can't be resolved by @NeffIsBack in #952
  • Add stderr printing to winrm execution by @NeffIsBack in #957
  • Fix winrm output for powershell by @NeffIsBack in #961
  • Query the sAMAccountName instead of querying the name and appending the dollar sign by @NeffIsBack in #969
  • feat(schtask_as): improve ADCS certificate handling and PFX retrieval by @azoxlpf in #962
  • Update dump-computers.py by @crosscutsaw in #941
  • Refactor filename templating by @NeffIsBack in #970
  • Fix Procdump by @NeffIsBack in #975
  • Changed print() statements to new print-only logging method by @danwroy in #925
  • Fix nxcdb signing export by @NeffIsBack in #977
  • Fix RDP execution without output by @NeffIsBack in #983
  • fix: Correct typos in WINRM argparse by @augustus-7613 in #988
  • enum_av module: add FortiClient and FortiEDR indicators by @Janrdrz in #990
  • Fix dir listing on NFS by @NeffIsBack in #991
  • Database rework by @zblurx in #727
  • Add LDAP signing and LDAPS channel binding info to db by @stfnw in #982
  • Fix encoding issue and use proper LDAP attr parsing in SCCM module by @NeffIsBack in #994
  • Polish #895 and fix numerous bugs by @NeffIsBack in #995
  • Add raisechild module by @azoxlpf in #792
    • Automatic cross-forest privilege escalation!
  • Fix Kerberos authentication handling in certipy-find by @azoxlpf in #981
  • Switch impacket back to fortra by @NeffIsBack in #998
  • Add error checking to mssql_exec by @NeffIsBack in #997
  • Make --debug and --verbose mutually exclusive by @NeffIsBack in #1000
  • added support for --generate-st and --delegate-spn flags by @gatariee in #825
  • New module: drop-library-ms by @XedSama in #657
    • This module implements yet another technique to force Windows into sending credentials to you
  • Remove useless option group subtitles by @NeffIsBack in #1004
  • feat(db): modified the change-password module to modify the password in DB by @lap1nou in #1005
  • enum_av module: add Kaseya EDR Agent indicator by @Janrdrz in #1009
  • Fix import to fix sqlalchemy deprecation warning by @NeffIsBack in #1010
  • feat(db): adding add-computer credential by @lap1nou in #1008
  • Update firefox.py for new AES-256-CBC encryption (fix dpapi error) by @hilarex in #968
  • Add MSSQL LSA and SAM dump by @NeffIsBack in #1003
    • Do you have Admin privs on an MSSQL server? Then you can now dump SAM and LSA secrets conveniently with the new --sam/--lsa flags
  • Fix sam/lsa dump if user is not local admin by @NeffIsBack in #1011
  • fix: MSSQL db fix by @lap1nou in #1012
  • Fix bug when using delegation by @NeffIsBack in #1014
  • Fix issues with transferring large or non-UTF-8 data over NFS by @lebr0nli in #1017
  • Add credential manager dump feature to winrm protocol by @tiagomanunes in #768
    • You can now dump (some) dpapi secrets via WinRM!
  • Remove duplicate module by @NeffIsBack in #1022
  • Fix/mssql xpcmdshell permission check by @azoxlpf in #960
  • Fix NetBIOS resolution in raisechild by @azoxlpf in #1025
  • --no-admin-check flag for smb to disable the "admin check" with SC_MANAGER_ALL_ACCESS which is done by default by @4zuk4m in #1026
  • enum_av: add WithSecure Elements detector by @Testeur-2-stylos in #1020
  • Update impacket by @NeffIsBack in #1027
  • Insert FQDN instead of NETBIOS name into winrm db by @NeffIsBack in #1028
  • BUG Fix: VNC, better handling of RFB 3.3 by @Mauriceter in #943
  • Fix accidental creation of empty workspace by @NeffIsBack in #1033
  • Add --history option for NTDS by @KriyosArcane in #759
    • You can now also dump AES Kerberos keys and the password history of users from the Domain Controller.
  • [MSSQL] Add EncryptionReq flag to MSSQL proto by @Dfte in #939
    • Encryption requirements will now be displayed automatically in the host banner
  • added support for LDAP simple auth by @c4pit0ch3f in #648
  • Added share exclusion functionality by @MickeyDB in #680
  • Add AES key support for golden ticket forging by @azoxlpf in #1034
  • enum_av module: add Malwarebytes EDR Agent indicator by @Janrdrz in #1040
  • New module dns-nonsecure by @MaxToffy in #1038
    • This module will automatically discover DNS zones where you can add records without any authentication!
  • Small logging adjustment by @NeffIsBack in #1046
  • NXCDB RDP hosts by @Dfte in #1039
  • Release version 1.5.0 - Yippie-Ki-Yay by @NeffIsBack in #1048

New Contributors

Full Changelog: v1.4.0...v1.5.0
